Pages

Monday, February 29, 2016

BPPC is not just for XDS/XCA

There is a general misunderstanding that the BPPC (profile of CDA for capturing patient privacy consent)
profile is only useful for XDS (document based Health Information
Exchange) and XCA (Federation of document based Health Information
Exchanges of various types) environments. The reality is that it is
most valuable when used in XDS and XCA; but it has an important role
to play in push models like XDR profile and XDM
(publication on removable media and zip based packages) profile. It is a
different value...

BPPC
could apply to any topology of exchange. The reality is that BPPC is
only ever needed when ONE organization captures consent that applies to
ANOTHER organization.

When no need to expose Privacy Consent

Most Privacy Consents, by number of Privacy Consents captured, are an authorization to
release within that Enterprise. This is completely local issue that doesn't need to be made visible beyond those systems involved in the capture and enforcement of that Privacy Consent, a local issue. This is often simply allowing the Enterprise Role-Based-Access-Control to allow the authorized Roles to do the authorized Actions. This does not mean the Privacy Consent isn't important, it is important. This only means that exposing the details of the Privacy Consent using a standard adds very little value. Thus this is often managed fully within the EHR as proprietary solution. It could use BPPC or later standard.

Authorizing HIE Disclosure

The next most prevalent is a Privacy Consent that authorizes release to others. Meaning that ONE organization captures
consent that authorizes them to release data they control to others (organizations, individuals, etc). In this case
that ONE organization is responsible for executing (enforcing) that
consent. The other organizations never need to known about the consent,
certainly not the details of the consent; they either get the data or
are denied the data. It might come with obligations, but those are much
easier to encode on the transaction than deep within consent language. This is the most common use-case for enabling an organization to expose patient data through an HIE. Where I am using a broad term for HIE, not limited to XDS.

In this case the Privacy Consent that the organization captured is not useful for others to see. The other actors in the HIE ask for data, which they either get or not. There is little that asking organization/individual can do to change the decision.

These are why there isn’t much actual use of consent in HIE’s; because it
is eventually realized to be a local matter.

When Privacy Consent is managed in the HIE

The first case where the consent is captured in a centralized way,
such as where the HIE infrastructure organization is given the
responsibility to capture consent. Having the HIE managing the Privacy Consent allows the consent to be region based, rather than organization-by-organization. This has scale advantages. The drawback to this model is that the singular consent needs to address all the variability that patients might need. In this case they need to publish
that it is okay for specific uses.

The special cases might be broad cases, like any normal (Role-Based-Access-Control) for Treatment and Billing. This can be addressed by BPPC through an identified Patient Privacy Consent Policy, that the patient has agreed to. This enables the simple go or not case.

The special cases are where
the consent is actually a set of specific ‘use’ instructions. That is
that it is a policy that is not a simple authorization to release under normal Role-Based-Access-Control; but
an authorization to release with conditions (constraints). --- Note,
there is IHE work going on right now to address this, going beyond BPPC.

When Privacy Consent is sent to the Requesting Party

A targeted case
is where there is a need to carry the evidence of consent (authorization
to release) along with the documents being released. In this case the
BPPC document is not there for enforcement, but rather simply as a
Document of Consent. This might be more useful when the Privacy Consent can carry more exacting rules than BPPC, so we might see this show up more with the new work in IHE on "Advanced Patient Privacy Consents" (or whatever it ends up being named).

So the case for BPPC use with XDR, XDM and Direct; are less obvious. But they tend to fall into this last set of use-cases. This was the point of the blog article. The point is that there already is little need to communicate a Privacy Consent document, but where one does a PUSH through XDR, XDM, or Direct; one would only need it a fraction of the time.

Other Models

I am not trying to express all the models in one blog article. The point of the article was to show when a Privacy Consent document would need to be communicated in a PUSH transaction.

There are other models that are supported by Privacy Consent documents like BPPC. Such as where the Requesting Party is the one that has gathered the Privacy Consent (authorization to release to the requesting party). This use-case is used by some payers that need to express that they have gotten explicit authorization from the patient. Another use-case might be where a patient has authorized unusual access, such as when they are getting care in a different country or where they are authorizing a clinical research project.

There are models where the Privacy Consent registry is an independent agent. There are various models that put the patient at the center of the Control. In some of these models the patient gets to choose from a set of Privacy Consent registries, the one that they want to use to control their rules. This is the center of some usecases in HEART using User Managed Access (UMA). This is a very exciting concept. I am participating and expect it will produce useful specifications. This however is very radical, so I expect it will take many many years before we see this in the wild. I thus expect many years of overlapping solutions.

About Me

The information posted here are mine and not necessarily represent By Light Professional IT Services Inc. I am a Standards Architect specializing in Standards Architecture in Interoperability, Security, and Privacy for By Light Professional IT Services Inc. Primarily involved in the international standards development and the promulgation of those standards. Co-chair of the HL7 Security workgroup, a member of the FHIR Management Group, FHIR core team, and co-chair of IHE IT Infrastructure Planning Committee. Participate in ASTM, DICOM, HL7, IHE, ISO/TC-215, Kantara, W3C, IETF, OASIS-Open, and other. Was a core member of the Direct Project specification writing, authoring the security section, and supporting risk assessment. Active in many regional initiatives such as the S&I Framework, SMART, HEART, CommonWell, Carequality, Sequoia (NwHIN-Exchange), and WISHIN. Active in the Healthcare standardization since 1999, during which time authored various standards, profiles, and white papers.

Surely there are other copyright and trademarks that I should recognize, but everyone else seems to be reasonable; expecting readers of blogs know that I am not trying to claim or take ownership of their copyright and trademarks.